GHSA-25fx-3c2q-cq46

Suggest an improvement
Source
https://github.com/advisories/GHSA-25fx-3c2q-cq46
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-25fx-3c2q-cq46/GHSA-25fx-3c2q-cq46.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-25fx-3c2q-cq46
Aliases
Published
2023-05-17T15:48:04Z
Modified
2023-11-07T05:36:05.012278Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
pimcore/customer-management-framework-bundle has SQL Injection vulnerability in Segment Assignment query
Details

Impact

An administrator user can use the inheritable segments feature to execute his own blind SQL queries.

A user with administrator privileges can run any SQL query on database. This can be used to retrieve sensitive data, change database information or any other malicious activity against the database.

Patches

Update to version 3.3.10 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe.patch

Workarounds

Apply https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe.patch manually.

References

https://huntr.dev/bounties/cf398528-819f-456e-88e7-c06d268d3f44/

Database specific
{
    "nvd_published_at": "2023-05-17T11:15:09Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-17T15:48:04Z"
}
References

Affected packages

Packagist / pimcore/customer-management-framework-bundle

Package

Name
pimcore/customer-management-framework-bundle
Purl
pkg:composer/pimcore/customer-management-framework-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.3.10

Affected versions

1.*

1.0.0
1.0.1
1.3.17

v1.*

v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.18
v1.3.19
v1.3.20
v1.3.21
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.4.10
v1.4.11
v1.4.12
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.6
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.8.0
v1.9.0
v1.9.1
v1.10.0
v1.10.1
v1.11.0
v1.12.0
v1.12.1
v1.13.0
v1.13.1
v1.14.0
v1.14.1
v1.14.2
v1.14.3
v1.14.4

v2.*

v2.0.0
v2.0.1
v2.1.0
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.6
v2.4.7
v2.5.0
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.6.0
v2.6.1
v2.6.2

2.*

2.4.5
2.5.1

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v3.1.1
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9